NIST SPECIAL PUBLICATION 1800-19
Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)

Michael Bartock, Donna Dodson*, Murugiah Souppaya (NIST)
Daniel Carroll, Robert Masten (Dell/EMC)
Gina Scinta, Paul Massis (Gemalto)
Hemma Prafullchandra*, Jason Malnar (HyTrust)
Harmeet Singh, Rajeev Ghandi, Laura E. Storey (IBM)
Raghuram Yeluri (Intel)
Tim Shea, Michael Dalton, Rocky Weber (RSA)
Karen Scarfone (Scarfone Cybersecurity)
Anthony Dukes, Jeff Haskins, Carlos Phoenix, Brenda Swarts (VMware)
*Former employee; all work for this publication was done while at employer

FINAL
April 2022

This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-19
The draft publication is available free of charge from https://www.nccoe.nist.gov/publications/practice-guide/trusted-cloud-vmware-hybrid-cloud-iaas-environments-nist-sp-1800-19-draft

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security Characteristics Analysis
- 5.1 Assumptions and Limitations
- 5.2 Demonstration of the Capabilities
- 5.2.1 Use Case Scenario 1: Demonstrate Control and Visibility for the Trusted Hybrid Cloud Environment
- 5.2.2 Use Case Scenario 2: Demonstrate Control of Workloads and Data Security
- 5.2.3 Use Case Scenario 3: Demonstrate a Workload Security Policy in a Hybrid Cloud
- 5.2.4 Use Case Scenario 4: Demonstrate Recovery From an Unexpected Infrastructure Outage
- 5.2.5 Use Case Scenario 5: Demonstrate Providing Visibility into Network Traffic Patterns
- 5.2.6 Use Case Scenario 6: Demonstrate Application Zero Trust
- Appendix A Mappings
- Appendix B List of Acronyms
- Appendix C Glossary
- Appendix D References
- 1 Introduction
- 2 Dell EMC Product Installation and Configuration Guide
- 3 Gemalto Product Installation and Configuration Guide
- 4 HyTrust Product Installation and Configuration Guide
- 5 IBM Product Installation and Configuration Guide
- 5.1 ICSV Deployment
- 5.2 Enable Hardware Root of Trust on ICSV Servers
- 5.2.1 Enable Managed Object Browser (MOB) for each ESXi Server
- 5.2.2 Enable TPM/TXT on SuperMicro hosts
- 5.2.3 Enable TPM/TXT in IBM Cloud
- 5.2.4 Validate the TPM/TXT is enabled
- 5.2.5 Check the vCenter MOB to see if the TPM/TXT is enabled
- 5.2.6 Set up Active Directory users and groups
- 5.2.7 Join vCenter to the AD domain
- 5.2.8 Add AD HyTrust-vCenter service user to vCenter as Administrator
- 5.2.9 Add AD HyTrust-vCenter service user to vCenter Global Permissions
- 5.2.10 Configure HTCC for AD authentication
- 5.3 Add Hosts to HTCC and Enable Good Known Host (GKH)
- 6 Intel Product Installation and Configuration Guide
- 7 RSA Product Installation and Configuration Guide
- 8 VMware Product Installation and Configuration Guide
- 8.1 Prerequisites
- 8.2 Installation and Configuration
- 8.3 Configuration Customization Supporting the Use Cases and Security Capabilities
- 8.3.1 Example VVD 5.0.1 Configuration: Configure the Password and Policy Lockout Setting in vCenter Server in Region A
- 8.3.2 Example VVD 5.0.1 Configuration: Configure Encryption Management in Region A
- 8.3.3 Example vRealize Automation DISA STIG Configuration: Configure SLES for vRealize to protect the confidentiality and integrity of transmitted information
- 8.3.4 Example vRealize Operations Manager DISA STIG Configuration: Configure the vRealize Operations server session timeout
- 8.4 Operation, Monitoring, and Maintenance
- 8.5 Product Configuration Overview
- Appendix A Security Configuration Settings
- Appendix B List of Acronyms
- Appendix C Glossary